The SSL blade performs the SSL termination for the site. As such, when we perform a certificate authentication / negotiation, then the authentication occurs with the SSL blade. In order to integrate the certificate authentication with GetAccess and provide a secure SSO session based on the user's cert, GetAccess needs to see the client certificate.
The SSL blade can send through the user's client certificate (and associated information in the HTTP headers) on the very first access after making a certificate authentication to the SSL blade. GetAccess takes this certificate and can then map the information to a user in the directory and create a secure session for the user. This works.
The problem is that this can ONLY happen on the very first access. If the user opens a browser to a client certificate protected site and then clicks a link to login, then it will not work. The SSL blade will only send through the cert on the first access to the site. By the time the user clicks a link, then first access has happened. The SSL blade will not send another certificate header for that user until they have closed their browser and re-authenticated. Hence, the SSL blade will no longer send any certificate information about the user. GetAccess sees an authentication request with an empty certificate header and cannot login the user. This is different functionality from a web server as it can present the certificate environment on every request.
We have found a way to make this work. When the user opens a browser and goes to the secure site, it is not client certificate protected. When the user clicks a link to login via digital certificate, then we redirect the browser to a different website that requires client certs, and then redirect them back. Unfortunately, this only works once. If the user logs out of GetAccess or times out (idle timeout / general timeout), then the user will not be able to login again until they close their browser. This is a major issue as people expect to be able to login to a site multiple times without closing their browser every time. The SSL blade needs to have the functionality to send the client certificate headers on every protected access.
Cisco IOS Software, SVCSSL Software (SVCSSL-K9Y9-M), Version 12.3(8)IA)
cisco SVCSSL (revision ) with 131072K bytes of memory.
We are pleased to announce availability of Beta software for 16.6.3. 16.6.3 will be the second rebuild on the 16.6 release train targeted towards Catalyst 9500/9400/9300/3850/3650 switching platforms. We are looking for early feedback from custome...